Posted by timothy on Thursday August 16, 2012 @12:59PM from the just-communicate-with-oil dept.

wiredmikey writes "Saudi Aramco, Saudi Arabia's national oil company and the largest oil company in the world, confirmed that it has been hit by a cyber attack that resulted in malware infecting user workstations and forcing IT to kill the company's connection to the outside world. '...An official at Saudi Aramco confirmed that the company has isolated all its electronic systems from outside access as an early precautionary measure that was taken following a sudden disruption that affected some of the sectors of its electronic network,' the company wrote in a statement. This incident follows an attack on systems at the National Iranian Oil Company back in April, when a virus was detected inside the control systems of the Kharg Island oil terminal, which also resulted in the company taking its systems offline. In response to continued cyber attacks against its networks and facilities, Iran earlier this month said it plans to move key ministries and state bodies off the public Internet to protect them from such attacks."

When I was a Jr. IT Admin and our systems got infected with some malware or a worm, we didn't call it a cyber attack; we just bitched about it, fixed the problem, and wondered who the hell opened the attachment they got in their email.

No no, the Zionist Lobbies secretly control [youtube.com] all American politicians. They're too busy with that to bother with sabotage. For that, look to Mossad [foreignpolicy.com]. Let's keep our conspiracy theories straight!

That's not clear from what's being reported here. The summary mentions a facility-specific attack on an Iranian oil terminal, but from the description this Saudi virus infection just seems to be an ordinary infection of a bunch of PC workstations.

Yeah, the article links the two, but the article's information shows it as being a generalized malware or virus. They may be being overcautious on this one, but the article attempts to inject fear and speculation, and to link an unrelated incident to this.
Glad I have an adblocker to make sure these fearmongering-to-sell-adspace jackasses got no money from my visit.

First create the demand with the 'cyber attack', then be ready to supply the solution.

Should be able to charge a huge price tag.

First of all they already pay a huge price tag for everything. That is the downside of having too much money and no need for anyone to actually understand anything.

Second, if you knew how things were run, you would be surprised we do not have continuous failures due to infections.

Transformers, switchgear and other control room infrastructure is built and once every 5 years someone will go there to change some filters. The whole thing runs 24/7 automatically and is being monitored remotely. After 20+ years,

Absolutely. That's not because Saudi Aramco is incompetent. I believe they would actually be one of the largest companies in the world, if they weren't state owned. They run operations on a truly mind blowing scale with very few problems or disruptions (when was the last time you heard about them?).

The reason is unfortunately far more depressing than one incompetent company. The reason is that the industrial process control world long ago standardized on Microsoft DCOM as the protocol used for monitoring and controlling large systems. DCOM is an insanely complicated protocol - trust me on this, I'm one of the very few people in the world who has reimplemented it. Therefore it's natural to use Microsoft's implementation, which means Windows. Technically the protocol is called "OLE for Process Control" (OPC). In particular, Saudi Aramco's Abqaiq stabilization facility, through which around 1/8th of the world's oil supply flows, uses OPC extensively [integrationobjects.com].

Incidentally Abqaiq, like all of Aramco's big facilities, is defended by some pretty insane security. The guards there are heavily armed and shoot first, ask questions later. They need to - a few years ago suicide bombers attempted to detonate a truck inside the complex [saudidefence.com]. I've read they also have SAM sites and fighter jets on 24/7 standby in case somebody tries to crash a plane into it.

I think it's very likely that this is an extension of America and Israel's war against Iran, targeting their industrial/economic infrastructure instead of just uranium enrichment. The MO matches that of Stuxnet, and we know that they're rather careless about letting their creations escape and cause havoc outside the intended targets. The stories we saw recently about code encrypted under a hash of various file paths sound strongly like it was intended to match an unknown computer that performs a specific function, rather than a specific computer that was already reconned; otherwise the key could just be a hash of the HDD serial numbers/MAC addresses or other things that are less likely to change. One can imagine that the target computer might be inside an Arabic-speaking oil refinery. Typically these refineries and facilities are built by a small number of western contractors. One can also imagine that computers meeting the target configurations exist not only in Iranian facilities but also in other countries.

I understand, you need Windows to operate the main system, but... you can isolate these servers from the rest of your network. Make them accessible only via Remote Desktop and have all the other PCs on Linux.
Yes, it costs more and you need to train your employees to use different GUIs. In the end, are your improved downtime and security worth the cost?

In the end you need to get data to and from the computers. As long as you have buffer overflows and executable data formats like Excel and Word, there will be a way in. Remember the Stuxnet attacks against Iran were based on USB pen drive transfers. This means that network isolation is not adequate on its own and may even be an outdated, counterproductive move.

I think it's very likely that this is an extension of America and Israel's war against Iran, targeting their industrial/economic infrastructure instead of just uranium enrichment. The MO matches that of Stuxnet, and we know that they're rather careless about letting their creations escape and cause havoc outside the intended targets. The stories we saw recently about code encrypted under a hash of various file paths sound strongly like it was intended to match an unknown computer that performs a specific function, rather than a specific computer that was already reconned; otherwise the key could just be a hash of the HDD serial numbers/MAC addresses or other things that are less likely to change. One can imagine that the target computer might be inside an Arabic-speaking oil refinery. Typically these refineries and facilities are built by a small number of western contractors. One can also imagine that computers meeting the target configurations exist not only in Iranian facilities but also in other countries.

Iran is not an Arabic country, Iranians are not Arabs, they do not speak Arabic - they speak Farsi. It's a completely different language, and while they do use a version of the Arabic script, the words are completely different and folders, paths etc. will be likewise entirely different between an Iranian and an Arab installation.

These sorts of attacks go well beyond an inconvenience on a desktop, potentially affecting physical operations. It seems like the media doesn't know enough to dig deeper when something goes wrong.

Examples of media not doing investigative journalism: No reports that I could find mentioned the possibility of a cyber event, or solar flares and the arriving CME, as possibly affecting power in India recently. They were quick to blame capacity, even though the initial outage struck at about 2 AM, which is not at p

When I was a Jr. IT Admin and our systems got infected with some malware or a worm, we didn't call it a cyber attack; we just bitched about it, fixed the problem, and wondered who the hell opened the attachment they got in their email.

Yes, because what you've been hit with is exactly the same as what they've been hit with.

There are different approaches to the same problem, often with different motivations (even for the same outcome).

In this case, I'm guessing it's because they either have highly skilled Westerners working for them and there was a really bad threat, or this is a typical display of Arab Ingenuity. For whatever reason, "fixing" something over there means hitting it with a hammer until it's fixed, Inshallah.

Interesting that the outcome may have been from drastically oppositional approaches. :P

They don't want us to be able to see scantily clad women. That makes me pissed off right there.

On the other hand, this was an attack against their oil export capacity. The faster the rest of the world can suck the hydrocarbons out of the middle east, the faster we can go back to letting them fight amongst themselves over god's own sandbox on earth...

The target is an arm of the Saudi state. The same state which makes it a criminal offense to try to preach any faith other than Islam, or for women to leave the house without their male owner in escort. This attack is just a big game of Dicks vs Assholes, and right now I'm cheering for the Dicks.

Iran earlier this month said it plans to move key ministries and state bodies off the public Internet to protect them from such attacks

One wonders why they were on the internet (public or otherwise) to begin with.

Because they need to communicate with citizens? It's like a business that has a website, but insists that you phone them to place an order because they don't want to have an attack that may expose customer data.

Of course, even airgapped networks aren't invulnerable... I hear some centrifuges got de

This attack only affected workstations, so it's safe to assume it wasn't tailored specifically to the corporation like, say, Stuxnet.

More importantly, who seriously cares. It seems like every other article about malware or worms is ginned up as a cyber attack or cyber terrorism or some other buzzword invented by the DoD or defense contractors to gin up support for defense spending. If we're keeping score, the Siberian pipeline attack by the CIA in 1982 is when "cyber" attacks first started. http://en.wiki [wikipedia.org]

I have a simple question. Why are these systems - and systems like them in the USA such as power grid systems - attached to the world-wide internet in the first place? Surely people understand that critical systems must be physically isolated, yes? They do have two computers, one on each side of the room, yes? One set of computers controls the critical hardware, and the other set is for administrative purposes, to do email, surf for porn when the staff are bored and so on, yes? Do these people in these

I think perhaps they are, but the reporting doesn't describe exactly what was infected. Not all of the computers at any large organisation are used for ultra-high-security work - there's also a lot of office staff with desktops for routine administrative things which become a lot easier if they have email and web access to do research and communicate with the outside world.

Interesting side effects may come from this. These are very targeted and sophisticated attacks, the hardest to defend against. Countries like Iran and Saudi Arabia could become the security leaders in the world simply from having to defend themselves against the best of the best.

One thing China is very good at is not showing their hand too early. They plan long term, infiltrate, bide their time and strike when everything is perfect, leaving their targets unprepared (scary, huh?). This is in contrast to

No way the US or Israel would strike at the jugular of the world's economy, it doesn't make sense. I'd guess Iran (make some countries drop the embargo), "wreck their shit" anarchists (this is a great way to wreck shit) or eco-terrorists (reduce CO2 emissions and give the world a taste of what will happen when the oil runs out).

I used to work for a process controls company. Everything migrated from purpose-built embedded code and machines to COTS hardware to "save money."

The result was that the system became 5 times more expensive, 10 times more complicated, and 20 times more failure-prone.

Instead of buying a $1000 control board that was built for its special purpose, our customers instead had to buy a $10,000 PC running Windows, preinstalled with the McAfee virus (which caused plenty of problems of its own with real-time control).